Source: https://www.ndc.gov.tw/Content_List.aspx?n=F98A8C27A0F54C30
(EN) Article 38 describes the specifics of the position of the Data Protection Officer (DPO). In particular, the emphasis is on the fact that DPO performs its work independently, while the responsibility for their timely and quality performance lies partly with the company itself (the controller or processor). Therefore, the text emphasizes that the company provides DPO with the necessary resources and access on the one hand, and is responsible for the independence of the DPO, not having the right to give them any instructions on the other.
In order to provide DPO with support, the company is recommended to ensure the following:
…
登入
访问全文
(EN) ISO/IEC 27701, adopted in 2019, added a requirement additional to ISO/IEC 27002, section 6.1.1.
Here is the relevant paragraph to article 38 GDPR:
6.3.1.1 Information security roles and responsibilities
Implementation guidance
The organization should designate a point of contact for use by the customer regarding the processing of PII. When the organization is a PII controller, designate a point of contact for PII principals regarding the processing of their PII (see 7.3.2).
…
登入
访问全文
(97) 於下述情形時,就資料保護之法律與實務有專業知識者應協助 控管者或處理者內部監督本規則之遵守,亦即:當資料處理係由除了 法院和獨立司法機關執行其司法權之公務機關執行時、於私部門之處 理係由核心活動包括需要經常且有體系的監控大規模資料主體的控 管者所為之處理活動、或於控管者及處理者之核心活動包括處理大規 模特殊類型之個人資料及涉及前科及犯罪之資料時。在私部門中,控 管者之核心活動係連結到其主要活動,而與作為輔助活動之個人資料 處理無關。專業知識所需程度尤應依據所執行之資料處理活動及由控 管者或處理者處理之個人資料所需之保護而定。該等資料保護員,不 問是否為控管者之雇員,都應以獨立之態度堅守職位以執行其任務。
(EN) ISO/IEC 27701, adopted in 2019, added a requirement additional to ISO/IEC 27002, section 13.2.4.
Here is the relevant paragraph to article 5(1)(f) GDPR:
6.10.2.4 Confidentiality or non-disclosure agreements
Implementation guidance
The organization should ensure that individuals operating under its control with access to PII are subject to a confidentiality obligation. The confidentiality agreement, whether part of a contract or separate, should specify the length of time the obligations should be adhered to.
…
登入
访问全文